The Department of Government Efficiency is currently facing numerous lawsuits alleging that its access to sensitive data violates the Privacy Act of 1974, a regulation inspired by the Watergate scandal. These lawsuits seek to halt the group’s activities. Recently, this department reduced staff at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and gained access to CISA’s digital systems, shortly after the agency had suspended its election security initiatives, which had been active for eight years.
The National Institute of Standards and Technology (NIST) is anticipating the dismissal of approximately 500 employees this week. This reduction poses potential risks to the institute’s cybersecurity standards and software vulnerability tracking functions. Similarly, the US Digital Service experienced cuts last week, which included the removal of the cybersecurity lead responsible for the central Veterans Affairs portal, VA.gov. This change raises concerns about increased vulnerability in VA systems and data.
In response to aggressive Chinese digital espionage campaigns, multiple US government departments are contemplating banning TP-Link routers manufactured in China. The company has denied any involvement in cyberattacks. In related developments, a WIRED investigation revealed that Google’s ad technology permits targeting categories that contradict the company’s policies, such as individuals with chronic illnesses or those in debt. Furthermore, advertisers could target national security “decision makers” and those involved in developing classified defense technology.
Recently, Google researchers disclosed that hackers linked to Russia have been luring Ukrainian soldiers with fake QR codes for Signal group invites that exploit a flaw, allowing spying on targeted messages. Signal has since implemented updates to prevent such exploitation. A WIRED deep dive highlights the challenges faced by even the most connected web users in removing nonconsensual intimate images and videos from the internet.
In other news, a record-setting cryptocurrency theft was reported by ByBit, where hackers used a “masked transaction” to manipulate the smart contract code controlling the exchange’s Ethereum holdings, resulting in a loss of $1.4 billion. ByBit’s CEO, Ben Zhou, assured that the exchange remains solvent and that withdrawals are unaffected. He indicated that the platform would cover the loss, reassuring users about the security of their funds.
Earlier this month, the UK government raised privacy concerns by demanding access to users’ end-to-end encrypted iCloud data from Apple. Although initially protected by Apple’s Advanced Data Protection feature, Apple disabled this encryption in the UK under government pressure, expressing hope to restore such security in the future. Privacy advocates argue this move weakens the security and privacy of British citizens and exposes tech companies to similar demands from other governments.
Finally, security vulnerabilities in stalkerware apps Cocospy and Spyic, believed to be developed in China and sharing the same source code, resulted in the exposure of data from millions of victims. A security researcher discovered the flaw and reported it, with exposed data including messages, call logs, and photos. Ironically, the vulnerability also revealed email addresses of the apps’ registered users, implicating those who installed the apps to spy on victims.
